Xml Reader

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward local XML parsing helper with ordinary file-reading risk and a small documentation scope mismatch, but no evidence of hidden execution or data theft.

Install only if you want the agent to read local construction data files you provide. Keep XML inputs trusted and reasonably sized, and treat the CSV/Excel/JSON wording as extra capability to verify before relying on it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding
The manifest describes a skill focused on reading and parsing XML from specific construction systems and converting that data to pandas DataFrames. These instructions additionally claim the skill accepts CSV, Excel, and JSON input and offers export to Excel/CSV/JSON, which materially broadens the documented behavior beyond XML reading/parsing.

VirusTotal

64/64 vendors flagged this skill as clean.
